Part II of “How to Protect Your Smart Home in 2020” Mini-Series
Smart homes today contain many different types of devices made by multiple manufacturers. However, the ecosystem is extremely siloed. You have solutions from August, Google Nest and ring that have their own vertically integrated tech stacks. Starting from the devices, data is passed to the gateway, which is then sent to the cloud and finally to the application for processing. Using the August door lock as an example, the data being passed along this vertical tech stack is sensitive security credentials that will be used to tell the lock to either lock or unlock the door. Even the metadata from these devices can be valuable in understanding behaviour, usage and more. That is why many of these large tech giants have an incentive to own your smart home data. The consequence of this, is that tech giants have made these tech stacks inoperable across platforms. In doing so, they are keeping the data within their own walled garden.
The future looks much brighter. First of all, interoperability between these vertical tech stacks can be eliminated. We can create interoperable devices and gateways that use new IoT standards that are able to communicate with each other. We can have cloud environments that communicate without costly operations. We can even have applications that can share data with each other, eliminating the need to have so many apps on our smartphones to see and control our smart homes. Perhaps the most important part of this future is that data ownership does not reside with the corporations and will be a more human centered ecosystem where we own our data and can offer it to applications on an opt-in basis. Next, let’s take a look at some of the technologies that can make this future happen.
The first technology is Blockchain. If you think of blockchain as a trusted foundation rather than a computation or storage platform, it comes with many important benefits. The first of which is security. Blockchain is a distributed architecture which means it is highly resilient to attack. Next, Blockchain is interoperable. Instead of being vertically integrated, it is horizontally scalable. Third, it is Decentralized. It uses an open and neutral infrastructure that anyone can access and anyone can build on. Next, it’s programmable. Blockchain enables smart contracts which are trusted, automated transactions between peers. The last piece is continuity. Because Blockchain is decentralized and distributed, it’s a “never down” network with no single point of failure. For instance, you might have an IoT device from a manufacturer that no longer exists. Those IoT devices are no longer serviceable because the tech stacks that they operate in have been taken down. If we move these tech stacks to a decentralized blockchain, they could live even past where the manufacturer decided to shudder their doors. It’s important to understand that blockchain is not going to be the silver bullet that will solve everything. It is not the Panacea, but it’s a great foundation to layer on additional technologies that have built in trust and privacy as a priority.
One of the technologies that is important to layer on top of blockchain is secure hardware. It’s especially important when we talk about our smart home. Secure hardware is basically a special type of chip that is built into many types of devices today. The chip is called the Trusted Execution Environment (TEE) and it separates normal applications from applications that require full trust. You can have a “secure world” and “normal world” that can pass data between each other while isolating certain software and hardware processes. This guarantees the integrategrity and confidentiality of all data and processes executed within this special chip. While this may sound like science fiction, the truth is that secure hardware is everywhere and you use it almost every day. Even the chips in our iPhones that manage our biometrics, for example our fingerprints and face IDs, use this technology. The reason why we trust our phones to do that is because all this very sensitive information is processed within this very secure, isolated, hardware element. The chips on your credit card are also a form of secure hardware that protect the spending credentials. For those in the crypto space, hardware wallets such as Ledger Nano S offer secure hardware to help protect your private keys.
All of these secure hardware devices are active today. Unfortunately, they are closed and proprietary which does not allow us as users or developers to gain access and run new processes within them. We would like the ability to self define what we deem to be valuable as data and process that data within these secure elements. An open, programmable, and affordable secure ecosystem is coming. Secure hardware is created by some of the largest semiconductor companies in the world such as ARM, AMD, Intel, and NXP. In fact, while Moore’s law, which describes how devices get twice as fast every year, is beginning to hit its theoretical limit in terms of performance, we are now seeing devices getting twice as cheap every year. We will start to see these more advanced and expensive chips make their way into normal devices including those in your smart home. One piece of advice though, just like you read the nutrition facts for different types of foods that you put into your body you should also evaluate what types of devices you are putting into your homes. Whether it’s secure or unsecure.
The next enabling technology is Decentralized Identity. Decentralized Identity or DID is basically a way to issue identities and enable interoperability and data ownership for individual people, devices, and businesses. Today if you think about the schematic of your smart home, many of these devices do not have identities which means they cannot discover or be discovered by other devices. This makes them non-interoperable and many of the problems with non-interoperability in the IoT ecosystem is due to the lack of standardized identities.
If we take a look at the history of identity in the digital world, we start with centralized identity. In this case, you register once, and you are trusted by that one entity. This is very common today, and happens every time you go to a new website and it asks you to create a new username and password. The service provider will establish and maintain your identity. It’s important to note that because the service provider created your identity, they also have the ability to take it away. For example, if you are found to break the rules on Twitter, they can not only disable your account, but can give your old handle to someone else. Essentially giving your identity away to another user.
Another instance is called Federated Identity, where you register one identity and it is trusted by many entities. Service providers essentially trust the identities that have been established by other identity providers. For example, any time you go to a new website and it offers to log you in with Google or Facebook, this is using federated identity. However, similar to centralized identities, these identities can also be taken away. If you think about all the websites in which you use your Gmail email address to login, and Google decides to remove your account, you would also lose your identity on those sites.
The future is Decentralized Identity. In this case, you register once, and the identity is trusted globally by other individuals and entities. This mechanism is built on top of distributed ledgers where users can self manage their own identity. Users create their own identity and are the sole owner with the ability to modify the identity to add credentials or new information. Users can also offer that identity as a login to several services that they use. The main difference is that because you created the identity you are the sole owner. When this concept makes its way into our smart homes it will be important to understand that it’s not just the identity of us that matters but the identity of our devices.
Another thing that is going to enable interoperability and security of smart homes that we envision is IoT standardization. As you can see there are many standards working on everything from application layer to connectivity layer and from the B2C market to the B2B market. However, it is important that we identify unified standards for hardware, identity and connectivity which will enable an open ecosystem, improve interoperability, and protect security and privacy. Luckily there are a lot of great initiatives going on such as Project Connected Home over IP and the W3C. As more of these efforts from industry leaders emerge, we will start to see more standardization of devices. Stil, it’s important for us to continue to push for standardization from the user perspective.
The final element to add to the future smart home is secure encrypted communication.This item has made its way into the news recently with the security vulnerabilities found in the popular Zoom conferencing application. Zoom had made claims about their end-to-end encryption, however, it was discovered that it was not fully end-to-end encrypted but instead client-to-server encryption. Client-to-server encryption means that your data is encrypted between your mobile application and the cloud server it is connected to. However, the server will then decrypt the information for processing, establish data profiles, and other activities. Having this man-in-the-middle with your decrypted data is a source of vulnerability for attackers. These attacks can come, not only from outside attackers, but insider attackers such as cloud admins as well. For instance, Amazon recently fired a number of cloud admins for accessing user’s ring video feeds. Even though we are relatively protected from hackers, insider attacks are one of the most common forms of security threats.
A lot of what we do to patch up these problems today are done with regulations and with policies. GDPR in Europe and the CCPA, California Consumer Privacy Act, are now emerging and these regulations are very important to build transparency to how corporations use our data. While these organizations do not guarantee our privacy, they do provide an operational framework that allows us to ask: what data do you have on me? how will you use it? as well as the ability to request to delete it. Therefore, one thing that we need to do is build and adopt technologies that offer true end-to-end encryption. Instead of having a server in the middle to process your data, we can opt to have data processed at the edge or even local within the devices we use. By doing so, we can eliminate these insider attacks using end-to-end encryption.
To wrap up secure encrypted communications, sometimes end-to-end encryption is not enough given all the communications that happen between devices, networks, cloud, and applications. While end-to-end encryption might be able to protect the content for distribution, there is also metadata that can be very telling about our activities. Hop-by-hop encryption can help protect metadata and the data leakage that emerges from communications between devices. There are also technologies that allow you to embed public keys into devices so that we can do encryption without a 3rd party certificate authority. Finally, a globally distributed, “never down” network would be a great foundation to power and secure all these different encrypted communications.
How does this fix all the problems with today’s internet? When we put all of these new technologies together, we can see how these technologies address the vulnerabilities experienced by today’s smart home. First Secure HW available at the device level can help protect the software and processes running on those devices from exploits and malware. Decentralized Identity can protect against attacks that steal your credentials like Main-in-the-Middle attacks and the decentralized architecture helps protect against Denial of Service (DoS) attacks. Regarding secure communications, having end-to-end and hop-by-hop encryption helps protect against both Man-in-the-Middle and Eavesdropping attacks and the globally decentralized infrastructure can help mitigate DoS and DDoS attacks as well. Last is IoT Standards, which really does have an impact across many of these vulnerabilities. Standards make the risks public which helps to both expose and harden the security over time.
Let’s take a holistic view of the entire tech stack. Starting with Blockchain, which is a great tool for establishing trust. We see Blockchain as the basis to build trust for smart homes and its devices. On top of that, are gateways that offer built-in universal IoT standards along with Decentralized Identity to authenticate these devices and secure HW to provide a trusted execution environment for software. At the device level, you will also see Decentralized Identity and secure HW adopted, but you will also see data being processed on the devices themselves eliminating the need to send sensitive data to the cloud. These devices will become more powerful and more connected as devices communicate between devices or peer-to-peer. That is the picture of the smart home of the future.